Monday, July 28, 2008

YAMSIA (Yet Another Massive SQL Injection Attack)

Forgot to crosspost from TM Site

Clever mnemonics aside, last week we saw another large-scale SQL injection attack (or YAMSIA, if you prefer), this time orchestrated by a botnet that has become known as Asprox. But first, a history lesson.

The code behind the Asprox botnet seems to have been around for quite some time now, but it was only in the last year that it was upgraded to a botnet whose main focus is sending phishing emails. This changed in late May / early June of this year, when the bots were issued a new set of commands: start searching the Web for certain .ASP pages, and then launch an SQL injection attack against those pages (hmm ... I wonder where they got that idea from).


Figure 1. The modus operandi that has become more and more common.
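The weakness these bots hunt for is a page that pastes a request parameter straight into its SQL. The following is an added example, not code from the post or from any of the affected sites: an in-memory SQLite lookup written the vulnerable way beside the hardened way. The table, column names and sample rows are constructed for the demo.

```python
"""Constructed demo of the injection pattern behind mass SQL injection waves.

lookup_vulnerable() builds the statement by string concatenation, so whatever
arrives in the page id parameter becomes part of the SQL text.
lookup_hardened() validates the type and binds the value as a parameter, so
the database never interprets user input as SQL.
"""
import sqlite3


def make_db():
    """Build a throwaway database with a constructed 'pages' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [
            (1, "Home", "<p>Welcome</p>"),
            (2, "Contact", "<p>Write to us</p>"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, page_id):
    """'Before' version: the parameter is concatenated into the statement.

    A value such as '2 OR 1=1' changes the query's logic instead of being
    treated as a page number, which is exactly what automated scanners probe
    for; on a server that accepts stacked statements the same hole lets
    the attacker append an UPDATE that writes script tags into every row.
    """
    sql = "SELECT title FROM pages WHERE id = " + page_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, page_id):
    """'After' version: type validation plus a bound parameter.

    Anything that is not an integer is rejected before touching the database,
    and the integer travels as data through the driver's placeholder rather
    than as SQL text.
    """
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        return []  # reject the request instead of guessing what was meant
    rows = conn.execute(
        "SELECT title FROM pages WHERE id = ? ORDER BY id", (pid,)
    )
    return [row[0] for row in rows]


def demo():
    """Compare both lookups on a normal id and on a tampered one."""
    conn = make_db()
    tampered = "2 OR 1=1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "2"),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "hardened_normal": lookup_hardened(conn, "2"),
        "hardened_tampered": lookup_hardened(conn, tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tampered input returns every row from the concatenated query and nothing from the bound one; the same two-line change (validate the type, bind the value) is what closes the hole on the .ASP pages the botnet was searching for.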

Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain (the first technique was covered in Bouncing Malware 101). These domains are part of a fast-flux network hosted on the botnet itself (a technique widely used by another well-known botnet, Storm). The JS file name was originally b.js, but this has since changed and, in the latest wave, it is the highly imaginative ngg.js.


Figure 2. Sample of malicious script (with some parts removed)

As you can see, this script creates a cookie that expires after 9 days. This serves as an infection marker on the page, and the script then "bounces" the threat once more to the page pointed to by the iframe.

Depending on what country you are browsing from, the Asprox botnet may decide not to let you access this page, in which case you will be redirected to the legitimate www.msn.com. If you are "lucky" enough to be allowed access to the page, however, your browser will be promptly slapped in the face with a barrage of vulnerabilities, all with the goal of having your computer join in the fun by hooking your PC up to the botnet.
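Because the injected payload is a script tag pointing at a foreign domain, the quickest check a site owner can run after a wave like this is to scan stored page content for script sources outside the hosts the site actually uses. The following scanner is an added example (not from the post or any vendor tool); the rows, the trusted host and the bad host are constructed, with only the b.js and ngg.js file names taken from the post.

```python
"""Constructed demo: find <script src=...> tags in stored content whose host
is not on the site's own allowlist. Mass SQL injection waves write such tags
into text columns, so scanning the database (or rendered pages) for them is
a practical post-incident check."""
import re
from urllib.parse import urlparse

# Matches the src attribute of a script tag, with or without quotes,
# any attribute order, any letter case.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE
)

# File names seen in the waves described above; a secondary signal only.
KNOWN_BAD_NAMES = {"b.js", "ngg.js"}

# Constructed sample rows: (row id, column, stored text).
SAMPLE_ROWS = [
    (1, "body", '<p>Welcome</p><script src="/js/site.js"></script>'),
    (2, "body", '<p>News</p><script src="https://cdn.example.com/jquery.js"></script>'),
    (3, "title", "Contact us<script src=http://badhost.invalid/ngg.js></script>"),
    (4, "body", "<p>About</p><SCRIPT SRC='http://badhost.invalid/b.js'></SCRIPT>"),
]

# Hosts this (constructed) site legitimately loads scripts from.
TRUSTED_HOSTS = {"cdn.example.com"}


def injected_scripts(html, trusted_hosts):
    """Return script src values whose host is absolute and not trusted.

    Relative paths (no host) are served by the site itself and are skipped;
    protocol-relative '//host/x.js' sources still yield a host via urlparse.
    """
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in trusted_hosts:
            hits.append(src)
    return hits


def scan_rows(rows, trusted_hosts=TRUSTED_HOSTS):
    """Scan (row id, column, text) tuples; return (row id, column, src) hits."""
    findings = []
    for row_id, column, text in rows:
        for src in injected_scripts(text, trusted_hosts):
            findings.append((row_id, column, src))
    return findings


def matches_known_name(src):
    """True when the script's file name is one seen in the described waves."""
    path = urlparse(src).path
    return path.rsplit("/", 1)[-1].lower() in KNOWN_BAD_NAMES


if __name__ == "__main__":
    for row_id, column, src in scan_rows(SAMPLE_ROWS):
        tag = " (known file name)" if matches_known_name(src) else ""
        print(f"row {row_id} column {column}: untrusted script {src}{tag}")
```

The allowlist is the robust part of the check: the attackers renamed b.js to ngg.js between waves, so a scanner keyed only on file names falls behind, whereas a script source on a host the site never uses is suspicious whatever it is called.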

SQL injection attacks can be very effective, as they are normally completely hidden from the Internet user: everything is quietly downloaded in the background without their knowledge. We were sure this was a criminal act, and as such have added detection for the threat, as well as for the bouncing JavaScript (JS_IFRAME.ADN) itself.

Unfortunately, security is still a major issue with the majority of Web sites, and until it becomes one of the core design goals from the start of a Web site project, expect to see more YAMSIA (Can you tell I’m trying to get this mnemonic to stick?) blogs in the future.


Breaking News! Iran Invaded! Well…maybe

Forgot to repost from TM Site

Picture the scene: You wake up in the morning and make your way on autopilot to work at your job in Tehran, then switch on your work PC to check your email. One in particular stands out as being a bit different from the others. You read it once, and then just to be sure read it a second time, then run to look out the window. Seeing no tanks in the streets and a significant lack of mushroom clouds, you return to your desk and take another look…

Iran

Anxious to find out what’s going on, you download the video and run it to find out more information.

Wrong move.

Now, longtime readers of this blog (well, most people, to be honest) should look at that email and be immediately skeptical. They might even go check out a legitimate news site like CNN or the BBC. However, enough people will open their email inboxes this morning, download the video (hint: it's not really a video, it's just another Storm/Nuwar/Zhelatin/Peacomm variant, detected by Trend Micro as TROJ_NUWAR.AB) and proceed to help the Storm gang's authors make even more money. The Storm network may have decreased since its heyday, but its size still makes the approximately 20,000 soldiers seem small in comparison.

It’s a sad world we live in where we have to educate people to be careful of what they get in their email, to be suspicious of every site they visit, and to be constantly on the lookout for scams.

Needless to say, Trend Micro customers are protected from this threat, both with our latest pattern file, and in the cloud with our Smart Protection Network. For everyone else, think before you click.

Additional information: here are samples of spam pertaining to this attack:



Monday, June 30, 2008

Ultimate Travel Bag

Not a security-related post, but here's one that is close to my heart. I decided to put this question out there for anyone who can help.

I travel quite a lot for short trips (2-3 days) where I need to have my laptop case. Personally, airports annoy the hell out of me, especially going through security. The last time I was in the airport, standing behind a queue of people who took ages finding all of the metal objects in their pockets, forgetting to remove laptops from bags etc., an idea struck me.

There must be an easier way than this.

And so I have started my search for the ultimate short-trip laptop bag: the type of bag that has enough space for your laptop and all of your clothes etc. I decided to start with a short list of the features this type of bag would need to have.

  • Needs to fit in an overhead compartment of an aircraft. By Aer Lingus's standards, that's 56 cm x 45 cm x 25 cm, or 22 in x 18 in x 10 in.
  • The laptop must be easy to remove for airport scanners, not stuck somewhere in the depths of the bag.
  • Pouches at the front for passport/tickets.
  • Compartment for metal coins and keys. Basically a small compartment into which you can toss all of your metal items. It would be even better if this was detachable.
  • Enough room and compartments for all of your laptop stuff: chargers, DVDs etc.
  • Enough room for 2 days' worth of clothes, including shoes, and the option to be able to pack a suit.
  • Rollers and a long handle. I'm over 6 foot, so stooping while dragging a bag is a pain.
All of that should not be rocket science. I would be interested in hearing what other people would have in their "ultimate" laptop travel bag, and of course any suggestions on existing bags I could get.


Thursday, May 22, 2008

All your info are belong to us

Google Health has opened its doors today, and the ramifications are quite frankly worrying. Don't get me wrong, I am a big fan of Gmail and the Google search engine (best hacking tool on the planet), but this is a worrying development. Google Health aims to be a portal to organise and maintain all of your health records... let's think about this for a second.

On the face of things, Google is a company that aims to be number one in the field of online advertising, and they clearly are, through the use of highly targeted adverts. What they are really all about is data aggregation. To quote Sir Francis Bacon, "Knowledge is Power", and that is what Google are all about: sorting and categorising every single piece of information about every person on the planet.
Now that's not necessarily a bad thing. Just because they have access to all of that information does not necessarily mean they will abuse it, but the fact remains that they can, or indeed they can be forced by another group (i.e. a government) to hand over certain information. Having all of your information in one place like that is just asking for trouble.

Do I sound overly paranoid (my tinfoil hat is the height of fashion)? Well, let me ask you this question. I have a mate called Dave (Dave may or may not be hypothetical). Dave runs a small data storage company and, for a low low price (free), has kindly offered to store every email you receive; catalog every site you visit (yes, even the dodgy ones you swear you never go to); store all of your personal documents (both the ones on the web and those on your PC); keep your personal calendar for you (not that you care that he knows where you will be every minute of the day); mind all of your private photos (which you have kindly categorised and labelled for him); and of course keep track of everybody you are acquainted with.

But wait, there's more! He will now keep all of your medical history safe for you as well! Remember that nasty rash "down there", or the incident with the gerbil, the bungee rope and the rocket launcher? All neatly documented in case you ever need to access it.

But there is no need to be paranoid, because Dave would never do anything dodgy with your information. After all, his company's motto is "Don't be Evil"...

Thursday, May 1, 2008

Where's the Risk? Oslo, apparently.

Just back (well, a few days ago) from the RISK 2008 conference in Oslo, Norway. Overall I really liked this conference, although I did not get to attend all of the talks due to my average (read: non-existent) command of the Norwegian language, so I limited myself to the talks of an English-speaking variety.

The conference was held in the Norwegian national football stadium (real football, not the version with body armour and 40 ad breaks), so the hosts, Mnemonic, had gone for a football theme. All of the organisers were dressed in referees' jerseys; going over time by 5 minutes saw you receiving a yellow card, and in extreme cases a red would see an early end to your conference.

The first speaker up was Marcus Ranum, who delivered an excellent and very entertaining talk about how we are stuck dealing with all of the mistakes of the past, and how we must be much more careful going forward. He also has an interesting read on his website about the "6 Dumbest Ideas in Computer Security". The only other English presentations of the day were by Peter Finnegan on Oracle security (or the lack thereof), and by Sebastien Deleersnyder explaining what OWASP is all about.

That evening Mnemonic put on an excellent drinks reception and a really nice dinner. There was also a very good comedian, or at least all of the locals were laughing; he did a sketch about going through airport customs that was mostly in English and was great. The night was good craic overall, and hats off to Mnemonic for organising it.

The 2nd day of the conference started with Joanna Rutkowska's talk on virtual machine malware. This was a talk that I was really looking forward to; unfortunately my own presentation was up next, so I spent most of the time down the back going over that. The bits I caught were as interesting as ever. My own presentation on "Fighting web-based, profit-driven threats" sparked quite a few questions from the audience (joys of being the only AV speaker), especially from the aforementioned Joanna. Eventually the organisers called time on the questions, but the spirited debate continued during the break, attracting a bit of a crowd.

Essentially a lot of people were saying that a) pattern matching is dead, b) counting unique MD5s as a measure of the rise in malware is pointless, and c) we should fix the OS, not build on it.

On a) I mostly agree: pattern matching on its own is not capable of dealing with the current threat landscape, but when complemented with other technologies like behaviour-based detection, Web Threat Protection and Data Leak Protection, suddenly we have a decent defense-in-depth model.

On b), regardless of the fact that the number of unique samples has gone through the roof, the number of individual variants is also on the rise. Everyone knows that it is trivial to generate 10,000 copies of the same malware, but you still need to deal with each of them, and that's why the malware industry does it. Even if you have only one brand of bullet, firing 10K at the target instead of 1 makes it a lot more likely you are going to do some damage.

On c), in an ideal world fixing the OS is a big step. Proper process isolation, data permissions, etc. go a long way to helping secure a system, but the majority of malware attacks are still aimed at the most vulnerable part of the system: the part between the keyboard and the chair.

Anyhow, the other English presentation of the day was a really interesting talk by PDP of Gnucitizen.com (if you don't already regularly read it, you should). He gave a very nice rundown of attacks against Web 2.0 that was both entertaining and informative, and as far as I was concerned it was tied with Marcus's presentation for the best at the conference.

Anyhow back now to a place where beer does not cost €10, but that may all change as I head to CARO in Amsterdam later this week.

Full Program of the Event
Copy of the Slides from my presentation


Monday, March 31, 2008

Jokes on you

There is a new variant of a well-known threat which has been spotted cashing in on April Fools' Day in the last few hours. Anyone want to hazard a guess as to which one it is?

Wasn't that hard of a question, I guess: the Storm gang are at it again.
Too lazy to actually create their own image to represent the holiday, the group simply googled "April Fools" and used the first image that showed up. So far emails are being spammed out with the subject line "April Fool's Day", and the executables on the site are called "foolsday.exe" or "funny.exe". However, if the gang's past behaviour is as predictable as normal, these will change several times over the next 48 hours to similarly themed names. (EDIT: In fact they have added "Kickme.exe" in the time it took me to type this.)

Needless to say, Trend Micro customers are already being protected using our Web Threat Protection technology, which blocks access to the sites themselves and prevents the user from any exposure to the threat. We are also proactively adding detection for the binary files themselves.

Overall I doubt that this incident will be remembered in the same way as other classics such as the value of pi being changed to 3.0 and the hotheaded naked ice borer, but this is definitely one prank you do not want to fall for.

Also posted to Trend Micro Blog


Thursday, March 27, 2008

Fluxed up beyond all recognition

The Guardian newspaper has published a piece on "fast-flux" networking, a system used by many of today's cyber criminals in order to make it more difficult to track them down and shut down their sites. The article is up here and features 2 quotes from yours truly (well, one from me, and one from my evil twin Robert McCardle; you can tell us apart as he has a goatee).
The idea of fast-flux has actually been around for a while, but it was not until the Storm botnet started using it that it began to gain widespread use. The key to really making it work, however, is the DNS servers, which are normally hosted on "bulletproof" networks that allow these criminals to run their attacks without fear of an ISP coming along and shutting them down, although the gang behind Storm did actually have to move hosting companies in December due to the amount of attention they had drawn on themselves.
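What fast-flux looks like from the outside is a hostname whose A records change every few minutes and land in unrelated networks. As an added example (not from the post or the Guardian article), here is a small heuristic over passive-DNS observations that flags that pattern. The log lines, domains and addresses are constructed; the /16 prefix stands in as a crude proxy for "different network" since no ASN data is assumed to be available offline.

```python
"""Constructed demo: score domains for fast-flux behaviour from passive-DNS
records. Three indicators are combined: many distinct addresses, short TTLs,
and addresses spread across unrelated networks (approximated by /16)."""
from collections import defaultdict

# Constructed passive-DNS records, one per line: "epoch domain address ttl".
SAMPLE_LOG = """\
1200000000 flux.example.invalid 203.0.113.7 180
1200000300 flux.example.invalid 198.51.100.42 180
1200000600 flux.example.invalid 192.0.2.9 120
1200000900 flux.example.invalid 203.0.113.200 180
1200001200 flux.example.invalid 198.51.100.8 120
1200001500 flux.example.invalid 192.0.2.77 180
1200000000 static.example.invalid 192.0.2.10 86400
1200000900 static.example.invalid 192.0.2.10 86400
1200001800 static.example.invalid 192.0.2.11 86400
"""

# Heuristic thresholds; tune against your own resolver data.
MIN_IPS = 5        # distinct addresses seen for the name
MAX_TTL = 300      # seconds; flux names keep TTLs short so clients re-resolve
MIN_PREFIXES = 3   # distinct /16 prefixes, a stand-in for distinct networks


def parse_log(text):
    """Turn the log text into (epoch, domain, address, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, domain, addr, ttl = line.split()
        records.append((int(epoch), domain.lower(), addr, int(ttl)))
    return records


def summarise(records):
    """Aggregate per domain: address set, /16 prefix set, smallest TTL."""
    per_domain = defaultdict(
        lambda: {"ips": set(), "prefixes": set(), "min_ttl": None}
    )
    for _epoch, domain, addr, ttl in records:
        entry = per_domain[domain]
        entry["ips"].add(addr)
        entry["prefixes"].add(".".join(addr.split(".")[:2]))
        if entry["min_ttl"] is None or ttl < entry["min_ttl"]:
            entry["min_ttl"] = ttl
    return per_domain


def flux_score(entry, min_ips=MIN_IPS, max_ttl=MAX_TTL, min_prefixes=MIN_PREFIXES):
    """Count how many of the three indicators a domain trips (0 to 3)."""
    return sum(
        [
            len(entry["ips"]) >= min_ips,
            entry["min_ttl"] <= max_ttl,
            len(entry["prefixes"]) >= min_prefixes,
        ]
    )


def suspected_flux(text):
    """Return the sorted domains that trip all three indicators."""
    per_domain = summarise(parse_log(text))
    return sorted(d for d, e in per_domain.items() if flux_score(e) == 3)


if __name__ == "__main__":
    for domain, entry in sorted(summarise(parse_log(SAMPLE_LOG)).items()):
        print(f"{domain}: {len(entry['ips'])} addresses, "
              f"{len(entry['prefixes'])} prefixes, min TTL {entry['min_ttl']}, "
              f"score {flux_score(entry)}")
```

Requiring all three indicators keeps ordinary round-robin or CDN names (many addresses, but long TTLs or one provider's ranges) out of the list; the thresholds are starting points rather than settled values.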

Speaking of fast-flux, if you want to take a short break from the web with friends, I fully recommend Fluxx, a neat little card game that is almost completely random.

EDIT: Scan of newspaper article attached (Click for full size):
